Mozilla released Firefox 26, which introduced click-to-play and patched 15 security vulnerabilities.
Other browsers have adopted click-to-play, a security feature that requires users to authorize a plug-in before it runs when a website or page element calls for it. It acts as a protection against a rising tide of exploits that leverage bugs in plug-ins, particularly Adobe’s Flash Player and Oracle’s Java.
Google’s Chrome has long offered click-to-play, although it comes turned off by default.
In January 2013, Mozilla said it would require click-to-play for all installed plug-ins except for Flash, then later added the feature to developer and beta builds of Firefox 26.
But when the browser debuted Tuesday, only the Java plug-in was stuck behind the click-to-play wall; other plug-ins automatically ran. According to Mozilla, more testing was necessary before expanding click-to-play to all plug-ins.
Firefox 26 also saw the end of “MemShrink,” a two-year project to reduce the browser’s memory footprint that focused on plugging leaks created when code doesn’t properly release memory after a chore completes. The leaked memory never returns to the available pool, reducing what’s available for other applications, or even for Firefox.
Complaints about Firefox’s memory usage have historically centered on the browser’s habit of not releasing memory when tabs are closed.
Mozilla shipped patches for 15 vulnerabilities. A half-dozen of the fixes were rated critical, Mozilla’s most serious threat ranking.
Among the critical vulnerabilities were several “use-after-free” bugs, a type of memory management flaw.
Users can download Windows, Mac and Linux editions of Firefox 26 from Mozilla’s site; already installed copies will upgrade automatically. Users of Firefox for Android can retrieve the update from the Google Play store.